Threat Landscape Dashboard

Top 10 Campaigns

A large-scale campaign was discovered that used Facebook pages to spread malware to mobile and desktop environments with a focus on Libya. The social media pages included malicious links to documents that contained fake information about the latest airstrikes and the capturing of terrorists. The threat actor also set up a fake Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar, which had more than 11,000 followers.

A new campaign was discovered that has been in operation since early 2019. The threat actor behind the operation uses multiple tools, including a dropper known as “Topinambour”. A successful infection gives the attacker access to sensitive data and lets them upload, download, and execute files of their choosing on the compromised host.

The threat group behind the campaign is using the Ratsnif family of remote access trojans to carry out attacks with a range of malicious network capabilities, including packet sniffing, ARP poisoning, DNS poisoning, HTTP injection, and MAC spoofing. The trojan family has been under active development since 2016.
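Of the Ratsnif capabilities listed above, ARP poisoning leaves the clearest network-side trace, because the attacker has to keep answering ARP for the victim's and the gateway's addresses with its own MAC. The detector below is an added example written for this page, not code from the Ratsnif analysis or from any product: it replays a list of ARP replies against a table of known IP-to-MAC bindings and raises an alert when an address changes MAC, flips back to a MAC it used before, or when one MAC answers for more than one IP. The ArpReply records, the addresses and the known_hosts table are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen on the wire: who claims to own which IP."""
    ts: float
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class Alert:
    kind: str          # "changed", "flipflop" or "claims"
    ts: float
    ip: str
    old_mac: Optional[str]
    new_mac: str


def detect_arp_poisoning(replies: Iterable[ArpReply],
                         known_hosts: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Replay ARP replies against an IP->MAC table and return poisoning alerts.

    known_hosts seeds the table (e.g. from DHCP leases or an asset inventory) so
    that the very first spoofed reply for the gateway already counts as a change.
    """
    ip_to_mac: Dict[str, str] = {ip: mac.lower() for ip, mac in (known_hosts or {}).items()}
    history = defaultdict(set)     # ip  -> every MAC that ever answered for it
    mac_to_ips = defaultdict(set)  # mac -> every IP it has answered for
    for ip, mac in ip_to_mac.items():
        history[ip].add(mac)
        mac_to_ips[mac].add(ip)

    alerts: List[Alert] = []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != mac:
            # A MAC the IP has used before reappearing means the real host and the
            # attacker are fighting over the victims' caches (arpwatch's "flip flop").
            kind = "flipflop" if mac in history[r.sender_ip] else "changed"
            alerts.append(Alert(kind, r.ts, r.sender_ip, prev, mac))
        if mac_to_ips[mac] and r.sender_ip not in mac_to_ips[mac]:
            # One MAC answering for several IPs is how the attacker sits between
            # the victim and the gateway.
            alerts.append(Alert("claims", r.ts, r.sender_ip, None, mac))
        ip_to_mac[r.sender_ip] = mac
        history[r.sender_ip].add(mac)
        mac_to_ips[mac].add(r.sender_ip)
    return alerts


# Constructed sample (not a real capture): the gateway (aa..01) and a workstation
# (bb..20) are known; a host at cc..66 starts answering for both, the real
# gateway answers again, and the attacker re-poisons.
SAMPLE_KNOWN = {"10.0.0.1": "aa:aa:aa:aa:aa:01", "10.0.0.20": "bb:bb:bb:bb:bb:20"}
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.0.0.66", "cc:cc:cc:cc:cc:66"),
    ArpReply(2.0, "10.0.0.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(10.0, "10.0.0.1", "cc:cc:cc:cc:cc:66"),
    ArpReply(11.0, "10.0.0.20", "cc:cc:cc:cc:cc:66"),
    ArpReply(12.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(13.0, "10.0.0.1", "cc:cc:cc:cc:cc:66"),
]


def sample_alert_kinds() -> List[str]:
    """Alert kinds raised on the constructed sample, in order."""
    return [a.kind for a in detect_arp_poisoning(SAMPLE_REPLIES, SAMPLE_KNOWN)]


if __name__ == "__main__":
    for a in detect_arp_poisoning(SAMPLE_REPLIES, SAMPLE_KNOWN):
        print(f"t={a.ts:>5.1f} {a.kind:8s} {a.ip:10s} {a.old_mac or '-':18s} -> {a.new_mac}")
```

A MAC that legitimately holds several IPs (a hypervisor, a router with aliases, a VRRP pair) will also raise the "claims" alert, so seed known_hosts from an inventory and allow-list those; the "changed" and "flipflop" alerts on the default gateway are the ones that most reliably indicate a man-in-the-middle.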

Multiple threat groups with ties to China have updated their arsenals to include an exploit for the Microsoft Equation Editor vulnerability tracked as CVE-2018-0798. Equation Editor in Microsoft Office 2007, 2010, 2013, and 2016 contains a remote code execution vulnerability caused by the way objects are handled in memory.
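A practical triage check for the campaigns above, added here as an example rather than taken from the page or from any vendor tool: an exploit for CVE-2018-0798 has to deliver an Equation Editor (Equation.3) OLE object, so documents that embed one can be pulled aside before they reach a user. The script scans RTF files for the \objclass marker and for the Equation.3 ProgID inside hex-encoded \objdata groups (decoding past the line breaks and stray control words exploit builders use as padding), and scans OLE2 compound files for the Equation Editor CLSID. The Equation.3 ProgID and the CLSIDs are public Microsoft identifiers; the sample documents are constructed for the demonstration, and their OLE1/OLE2 layouts are minimal stand-ins rather than output of a full parser.

```python
import re
import uuid

# Equation Editor 3.0 identifiers (public Microsoft values): the ProgID used in
# RTF \objclass and in OLE1 object headers, and the CLSID as it is stored on
# disk in OLE2 compound files (little-endian GUID encoding).
EQUATION_PROGID = b"equation.3"
EQUATION_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# \objdata holds a hex-encoded OLE1 object; exploit builders pad it with line
# breaks and stray control words, so both are stripped before decoding.
CONTROL_WORD_RE = re.compile(rb"\\\*|\\[A-Za-z]+-?[0-9]* ?")
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")
OBJCLASS_RE = re.compile(rb"\\objclass\s*equation\.3\b", re.IGNORECASE)


def rtf_objdata_blobs(data: bytes):
    """Yield the decoded bytes of every {\\*\\objdata ...} group in an RTF file."""
    tag = b"\\objdata"
    pos = 0
    while True:
        start = data.find(tag, pos)
        if start == -1:
            return
        i = start + len(tag)
        depth = 1
        while i < len(data) and depth > 0:     # walk to the brace closing this group
            if data[i] == 0x7B:               # '{'
                depth += 1
            elif data[i] == 0x7D:             # '}'
                depth -= 1
            i += 1
        body = data[start + len(tag):i - 1]
        hexdigits = NON_HEX_RE.sub(b"", CONTROL_WORD_RE.sub(b"", body))
        hexdigits = hexdigits[:len(hexdigits) - len(hexdigits) % 2]
        yield bytes.fromhex(hexdigits.decode("ascii"))
        pos = i


def find_equation_objects(data: bytes) -> dict:
    """Report which Equation Editor markers a document contains."""
    hits = {"objclass": False, "objdata_progid": False, "ole2_clsid": False}
    if data.lstrip().startswith(b"{\\rt"):            # RTF, tolerating a truncated {\rt header
        hits["objclass"] = OBJCLASS_RE.search(data) is not None
        hits["objdata_progid"] = any(EQUATION_PROGID in blob.lower()
                                     for blob in rtf_objdata_blobs(data))
    elif data.startswith(OLE2_MAGIC):                  # legacy .doc/.xls container
        hits["ole2_clsid"] = EQUATION_CLSID_LE in data
    return hits


def is_suspicious(data: bytes) -> bool:
    return any(find_equation_objects(data).values())


# --- constructed samples (not real malware) ---------------------------------

def build_sample_rtf(progid: bytes, obfuscate: bool) -> bytes:
    """RTF with one embedded object; the OLE1 header is a minimal stand-in."""
    name = progid + b"\x00"
    ole1 = b"\x01\x05\x00\x00\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name
    hexdata = ole1.hex().encode("ascii")
    if obfuscate:
        # break the hex across lines and insert a harmless control word
        chunks = [hexdata[i:i + 6] for i in range(0, len(hexdata), 6)]
        hexdata = b"\r\n\\par ".join(chunks)
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + hexdata + b"}{\\result{\\pict}}}}"


def build_sample_ole2(embed_equation: bool) -> bytes:
    """Stand-in OLE2 file: header magic followed by a directory-entry CLSID."""
    word_doc_clsid = uuid.UUID("00020906-0000-0000-C000-000000000046").bytes_le  # Word.Document.8
    return OLE2_MAGIC + b"\x00" * 504 + (EQUATION_CLSID_LE if embed_equation else word_doc_clsid)


if __name__ == "__main__":
    for label, doc in [("rtf-plain", build_sample_rtf(b"Equation.3", False)),
                       ("rtf-padded", build_sample_rtf(b"Equation.3", True)),
                       ("rtf-word-obj", build_sample_rtf(b"Word.Document.8", True)),
                       ("ole2-eqn", build_sample_ole2(True)),
                       ("ole2-word", build_sample_ole2(False))]:
        print(f"{label:12s} suspicious={is_suspicious(doc)} {find_equation_objects(doc)}")
```

A hit is not proof of exploitation, since older documents with real equations embed Equation.3 too, but Microsoft removed Equation Editor from Office in January 2018, so a newly created attachment rarely has a legitimate reason to carry one; the decoded \objdata blob can then be handed to a proper OLE parser for a look at the embedded record.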

The TA505 threat group was found targeting multiple countries, including the United Arab Emirates, Morocco, Saudi Arabia, India, Japan, Argentina, the Philippines, and South Korea. The actor distributed a range of malware, including downloaders, backdoors, and remote access trojans such as FlowerPippi, Gelup, and FlawedAmmyy.

The threat group behind the campaign has been in operation since at least 2012 and initially focused on attacking the video game industry. Over time the group expanded their attacks to other sectors around the world including telecom, automotive, education, and travel to name a few. The threat actor is financially motivated in some attacks and focused on stealing sensitive information in others.

A state-sponsored attack group was discovered compromising IoT devices, including a VoIP phone, an office printer, and a video decoder, at multiple companies. The threat actor used the IoT devices to gain an initial foothold in each company's network and then used various tools and techniques to move laterally and establish persistence.

A cyber espionage operation was discovered targeting the government, military, education, police, and foreign affairs sectors in Central and South America. The threat actor behind the campaign used spear-phishing emails with malicious attachments to drop the Machete backdoor, which is capable of exfiltrating sensitive information including screenshots, keystrokes, documents, and geolocation data.

The Cloud Atlas threat group was discovered targeting multiple sectors with spear-phishing emails that contained malicious Microsoft Office documents. The group focused on high-profile targets in Russia, Central Asia, and Ukraine and dropped a backdoor known as VBShower.

The Silence Group has been in operation since at least 2016 and targets financial institutions in multiple countries around the world. The threat actor has updated its arsenal over time and uses a range of tools, including TrueBot, Ivoke, EDA, and the Atmosphere trojan, which is used to control ATMs.